Modify

Opened 4 years ago

Closed 4 years ago

#10689 closed defect (invalid)

Realm not being used for password hash?

Reported by: james Owned by: Steffen Hoffmann
Priority: low Component: AccountManagerPlugin
Severity: normal Keywords: needinfo SessionStore
Cc: Ryan J Ollos Trac Release: 0.11

Description (last modified by Steffen Hoffmann)

As a test I set the password of my user (james) through the account settings on trac to 'helloworld'. In the database this set the password to ':f4a19cee25aae3fe30d7a319fb7c5144'

I can reproduce this hash like so:

echo -n james::helloworld | md5
f4a19cee25aae3fe30d7a319fb7c5144

However I thought trac would use the realm set in trac.ini to essentially do this:

echo -n james:TracDB:helloworld | md5
8c41eb73b4e4d22f173b2a302d52dfdd

I'm obviously missing something, can anyone see what is it? Here are my account manager settings:

[account-manager]
account_changes_notify_addresses =
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDB
password_store = SessionStore
login_attempt_max_count = 3
user_lock_time = 30
user_lock_time_progression = 1

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.admin.accountmanageradminpages = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpage = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = disabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled
tracopt.versioncontrol.git.* = enabled

Attachments (0)

Change History (4)

comment:1 Changed 4 years ago by Steffen Hoffmann

Description: modified (diff)
Keywords: SessionStore added

reformatting for readability

comment:2 Changed 4 years ago by Steffen Hoffmann

Cc: Ryan J Ollos added; anonymous removed
Keywords: needinfo added
Trac Release: 1.00.11

What AcctMgr version are you testing?

Your configuration looks like a mix of

  • acct_mgr-0.3 (acct_mgr.web_ui.emailverificationmodule) and
  • acct_mgr-0.4 (db_htdigest_realm).

And from your example hash entry :f4a19cee25aae3fe30d7a319fb7c5144 you can see, that the db_htdigest_realm option is ineffective in your particular setup. So most probably you're running acct_mgr-0.3.x with some options meant for the current plugin version 0.4, and should clean-up and upgrade before going on.

With unit tests for SessionStore in place even for the old-stable plugin version you should be able to verify, that is works as expected with acct_mgr.tests.db.HtDigestTestCase.

Side-note: On our ticket creation page you've been advised to prefer the mailing-list for local installation/configuration issues. Honestly, its a big red box in the top of the page. But still you stepped into the development tracking system, that is not meant for general user support. Just assuming software issues here is not a nice play. Would you be so kind as to take care a little more next time, please? Thanks.

comment:3 Changed 4 years ago by Steffen Hoffmann

Priority: normallow

Despite of knowing about a possibly weak configuration, and without trying to get support from the mailing-list first, you suggested a software issue by creating a bug report here.

As you see, we do still care, but demand interaction and response from reporter's side in return.

comment:4 Changed 4 years ago by Steffen Hoffmann

Resolution: invalid
Status: newclosed

If you're rather clue-less, please test recent development code from trunk branch, and make sure to go for acct_mgr-0.5 as soon as it has been released.

This should really help for getting a working Trac authentication configuration for both use cases, with AccountManager's login HTML form or HTTP authentication driven by the web-server and its password file optionally managed by AccountManager in turn. For additional hints see #8930.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Steffen Hoffmann.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.